1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "policy/device_policy_impl.h" 6 7 #include <algorithm> 8 #include <memory> 9 #include <set> 10 #include <string> 11 12 #include <base/containers/adapters.h> 13 #include <base/files/file_util.h> 14 #include <base/json/json_reader.h> 15 #include <base/logging.h> 16 #include <base/macros.h> 17 #include <base/memory/ptr_util.h> 18 #include <base/time/time.h> 19 #include <base/values.h> 20 #include <openssl/evp.h> 21 #include <openssl/x509.h> 22 23 #include "bindings/chrome_device_policy.pb.h" 24 #include "bindings/device_management_backend.pb.h" 25 #include "policy/policy_util.h" 26 #include "policy/resilient_policy_util.h" 27 28 namespace em = enterprise_management; 29 30 namespace policy { 31 32 // Maximum value of RollbackAllowedMilestones policy. 33 const int kMaxRollbackAllowedMilestones = 4; 34 35 namespace { 36 const char kPolicyPath[] = "/var/lib/whitelist/policy"; 37 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key"; 38 39 // Reads the public key used to sign the policy from |key_file| and stores it 40 // in |public_key|. Returns true on success. 41 bool ReadPublicKeyFromFile(const base::FilePath& key_file, 42 std::string* public_key) { 43 if (!base::PathExists(key_file)) 44 return false; 45 public_key->clear(); 46 if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) { 47 LOG(ERROR) << "Could not read public key off disk"; 48 return false; 49 } 50 return true; 51 } 52 53 // Verifies that the |signed_data| has correct |signature| with |public_key|. 54 bool VerifySignature(const std::string& signed_data, 55 const std::string& signature, 56 const std::string& public_key) { 57 EVP_MD_CTX ctx; 58 EVP_MD_CTX_init(&ctx); 59 60 const EVP_MD* digest = EVP_sha1(); 61 62 char* key = const_cast<char*>(public_key.data()); 63 BIO* bio = BIO_new_mem_buf(key, public_key.length()); 64 if (!bio) { 65 EVP_MD_CTX_cleanup(&ctx); 66 return false; 67 } 68 69 EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr); 70 if (!public_key_ssl) { 71 BIO_free_all(bio); 72 EVP_MD_CTX_cleanup(&ctx); 73 return false; 74 } 75 76 const unsigned char* sig = 77 reinterpret_cast<const unsigned char*>(signature.data()); 78 int rv = EVP_VerifyInit_ex(&ctx, digest, nullptr); 79 if (rv == 1) { 80 EVP_VerifyUpdate(&ctx, signed_data.data(), signed_data.length()); 81 rv = EVP_VerifyFinal(&ctx, sig, signature.length(), public_key_ssl); 82 } 83 84 EVP_PKEY_free(public_key_ssl); 85 BIO_free_all(bio); 86 EVP_MD_CTX_cleanup(&ctx); 87 88 return rv == 1; 89 } 90 91 // Decodes the connection type enum from the device settings protobuf to string 92 // representations. The strings must match the connection manager definitions. 93 std::string DecodeConnectionType(int type) { 94 static const char* const kConnectionTypes[] = { 95 "ethernet", "wifi", "wimax", "bluetooth", "cellular", 96 }; 97 98 if (type < 0 || type >= static_cast<int>(arraysize(kConnectionTypes))) 99 return std::string(); 100 101 return kConnectionTypes[type]; 102 } 103 104 // TODO(adokar): change type to base::Optional<int> when available. 105 int ConvertDayOfWeekStringToInt(const std::string& day_of_week_str) { 106 if (day_of_week_str == "Sunday") return 0; 107 if (day_of_week_str == "Monday") return 1; 108 if (day_of_week_str == "Tuesday") return 2; 109 if (day_of_week_str == "Wednesday") return 3; 110 if (day_of_week_str == "Thursday") return 4; 111 if (day_of_week_str == "Friday") return 5; 112 if (day_of_week_str == "Saturday") return 6; 113 return -1; 114 } 115 116 bool DecodeWeeklyTimeFromValue(const base::DictionaryValue& dict_value, 117 int* day_of_week_out, 118 base::TimeDelta* time_out) { 119 std::string day_of_week_str; 120 if (!dict_value.GetString("day_of_week", &day_of_week_str)) { 121 LOG(ERROR) << "Day of the week is absent."; 122 return false; 123 } 124 *day_of_week_out = ConvertDayOfWeekStringToInt(day_of_week_str); 125 if (*day_of_week_out == -1) { 126 LOG(ERROR) << "Undefined day of the week: " << day_of_week_str; 127 return false; 128 } 129 130 int hours; 131 if (!dict_value.GetInteger("hours", &hours) || hours < 0 || hours > 23) { 132 LOG(ERROR) << "Hours are absent or are outside of the range [0, 24)."; 133 return false; 134 } 135 136 int minutes; 137 if (!dict_value.GetInteger("minutes", &minutes) || minutes < 0 || 138 minutes > 59) { 139 LOG(ERROR) << "Minutes are absent or are outside the range [0, 60)"; 140 return false; 141 } 142 143 *time_out = 144 base::TimeDelta::FromMinutes(minutes) + base::TimeDelta::FromHours(hours); 145 return true; 146 } 147 148 std::unique_ptr<base::ListValue> DecodeListValueFromJSON( 149 const std::string& json_string) { 150 std::string error; 151 std::unique_ptr<base::Value> decoded_json = 152 base::JSONReader::ReadAndReturnError(json_string, 153 base::JSON_ALLOW_TRAILING_COMMAS, 154 nullptr, &error); 155 if (!decoded_json) { 156 LOG(ERROR) << "Invalid JSON string: " << error; 157 return nullptr; 158 } 159 160 std::unique_ptr<base::ListValue> list_val = 161 base::ListValue::From(std::move(decoded_json)); 162 if (!list_val) { 163 LOG(ERROR) << "JSON string is not a list"; 164 return nullptr; 165 } 166 167 return list_val; 168 } 169 170 } // namespace 171 172 DevicePolicyImpl::DevicePolicyImpl() 173 : policy_path_(kPolicyPath), keyfile_path_(kPublicKeyPath) {} 174 175 DevicePolicyImpl::~DevicePolicyImpl() {} 176 177 bool DevicePolicyImpl::LoadPolicy() { 178 std::map<int, base::FilePath> sorted_policy_file_paths = 179 policy::GetSortedResilientPolicyFilePaths(policy_path_); 180 if (sorted_policy_file_paths.empty()) 181 return false; 182 183 // Try to load the existent policy files one by one in reverse order of their 184 // index until we succeed. The default policy, if present, appears as index 0 185 // in the map and is loaded the last. This is intentional as that file is the 186 // oldest. 187 bool policy_loaded = false; 188 for (const auto& map_pair : base::Reversed(sorted_policy_file_paths)) { 189 const base::FilePath& policy_path = map_pair.second; 190 if (LoadPolicyFromFile(policy_path)) { 191 policy_loaded = true; 192 break; 193 } 194 } 195 196 return policy_loaded; 197 } 198 199 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const { 200 if (!device_policy_.has_device_policy_refresh_rate()) 201 return false; 202 *rate = static_cast<int>( 203 device_policy_.device_policy_refresh_rate().device_policy_refresh_rate()); 204 return true; 205 } 206 207 bool DevicePolicyImpl::GetUserWhitelist( 208 std::vector<std::string>* user_whitelist) const { 209 if (!device_policy_.has_user_whitelist()) 210 return false; 211 const em::UserWhitelistProto& proto = device_policy_.user_whitelist(); 212 user_whitelist->clear(); 213 for (int i = 0; i < proto.user_whitelist_size(); i++) 214 user_whitelist->push_back(proto.user_whitelist(i)); 215 return true; 216 } 217 218 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const { 219 if (!device_policy_.has_guest_mode_enabled()) 220 return false; 221 *guest_mode_enabled = 222 device_policy_.guest_mode_enabled().guest_mode_enabled(); 223 return true; 224 } 225 226 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const { 227 if (!device_policy_.has_camera_enabled()) 228 return false; 229 *camera_enabled = device_policy_.camera_enabled().camera_enabled(); 230 return true; 231 } 232 233 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const { 234 if (!device_policy_.has_show_user_names()) 235 return false; 236 *show_user_names = device_policy_.show_user_names().show_user_names(); 237 return true; 238 } 239 240 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const { 241 if (!device_policy_.has_data_roaming_enabled()) 242 return false; 243 *data_roaming_enabled = 244 device_policy_.data_roaming_enabled().data_roaming_enabled(); 245 return true; 246 } 247 248 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const { 249 if (!device_policy_.has_allow_new_users()) 250 return false; 251 *allow_new_users = device_policy_.allow_new_users().allow_new_users(); 252 return true; 253 } 254 255 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const { 256 if (!device_policy_.has_metrics_enabled()) 257 return false; 258 *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled(); 259 return true; 260 } 261 262 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const { 263 if (!device_policy_.has_device_reporting()) 264 return false; 265 266 const em::DeviceReportingProto& proto = device_policy_.device_reporting(); 267 if (!proto.has_report_version_info()) 268 return false; 269 270 *report_version_info = proto.report_version_info(); 271 return true; 272 } 273 274 bool DevicePolicyImpl::GetReportActivityTimes( 275 bool* report_activity_times) const { 276 if (!device_policy_.has_device_reporting()) 277 return false; 278 279 const em::DeviceReportingProto& proto = device_policy_.device_reporting(); 280 if (!proto.has_report_activity_times()) 281 return false; 282 283 *report_activity_times = proto.report_activity_times(); 284 return true; 285 } 286 287 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const { 288 if (!device_policy_.has_device_reporting()) 289 return false; 290 291 const em::DeviceReportingProto& proto = device_policy_.device_reporting(); 292 if (!proto.has_report_boot_mode()) 293 return false; 294 295 *report_boot_mode = proto.report_boot_mode(); 296 return true; 297 } 298 299 bool DevicePolicyImpl::GetEphemeralUsersEnabled( 300 bool* ephemeral_users_enabled) const { 301 if (!device_policy_.has_ephemeral_users_enabled()) 302 return false; 303 *ephemeral_users_enabled = 304 device_policy_.ephemeral_users_enabled().ephemeral_users_enabled(); 305 return true; 306 } 307 308 bool DevicePolicyImpl::GetReleaseChannel(std::string* release_channel) const { 309 if (!device_policy_.has_release_channel()) 310 return false; 311 312 const em::ReleaseChannelProto& proto = device_policy_.release_channel(); 313 if (!proto.has_release_channel()) 314 return false; 315 316 *release_channel = proto.release_channel(); 317 return true; 318 } 319 320 bool DevicePolicyImpl::GetReleaseChannelDelegated( 321 bool* release_channel_delegated) const { 322 if (!device_policy_.has_release_channel()) 323 return false; 324 325 const em::ReleaseChannelProto& proto = device_policy_.release_channel(); 326 if (!proto.has_release_channel_delegated()) 327 return false; 328 329 *release_channel_delegated = proto.release_channel_delegated(); 330 return true; 331 } 332 333 bool DevicePolicyImpl::GetUpdateDisabled(bool* update_disabled) const { 334 if (!device_policy_.has_auto_update_settings()) 335 return false; 336 337 const em::AutoUpdateSettingsProto& proto = 338 device_policy_.auto_update_settings(); 339 if (!proto.has_update_disabled()) 340 return false; 341 342 *update_disabled = proto.update_disabled(); 343 return true; 344 } 345 346 bool DevicePolicyImpl::GetTargetVersionPrefix( 347 std::string* target_version_prefix) const { 348 if (!device_policy_.has_auto_update_settings()) 349 return false; 350 351 const em::AutoUpdateSettingsProto& proto = 352 device_policy_.auto_update_settings(); 353 if (!proto.has_target_version_prefix()) 354 return false; 355 356 *target_version_prefix = proto.target_version_prefix(); 357 return true; 358 } 359 360 bool DevicePolicyImpl::GetRollbackToTargetVersion( 361 int* rollback_to_target_version) const { 362 if (!device_policy_.has_auto_update_settings()) 363 return false; 364 365 const em::AutoUpdateSettingsProto& proto = 366 device_policy_.auto_update_settings(); 367 if (!proto.has_rollback_to_target_version()) 368 return false; 369 370 *rollback_to_target_version = proto.rollback_to_target_version(); 371 return true; 372 } 373 374 bool DevicePolicyImpl::GetRollbackAllowedMilestones( 375 int* rollback_allowed_milestones) const { 376 // This policy can be only set for devices which are enterprise enrolled. 377 if (!install_attributes_reader_->IsLocked()) 378 return false; 379 if (install_attributes_reader_->GetAttribute( 380 InstallAttributesReader::kAttrMode) != 381 InstallAttributesReader::kDeviceModeEnterprise && 382 install_attributes_reader_->GetAttribute( 383 InstallAttributesReader::kAttrMode) != 384 InstallAttributesReader::kDeviceModeEnterpriseAD) 385 return false; 386 387 if (device_policy_.has_auto_update_settings()) { 388 const em::AutoUpdateSettingsProto& proto = 389 device_policy_.auto_update_settings(); 390 if (proto.has_rollback_allowed_milestones()) { 391 // Policy is set, enforce minimum and maximum constraints. 392 *rollback_allowed_milestones = proto.rollback_allowed_milestones(); 393 if (*rollback_allowed_milestones < 0) 394 *rollback_allowed_milestones = 0; 395 if (*rollback_allowed_milestones > kMaxRollbackAllowedMilestones) 396 *rollback_allowed_milestones = kMaxRollbackAllowedMilestones; 397 return true; 398 } 399 } 400 // Policy is not present, use default for enterprise devices. 401 VLOG(1) << "RollbackAllowedMilestones policy is not set, using default 0."; 402 *rollback_allowed_milestones = 0; 403 return true; 404 } 405 406 bool DevicePolicyImpl::GetScatterFactorInSeconds( 407 int64_t* scatter_factor_in_seconds) const { 408 if (!device_policy_.has_auto_update_settings()) 409 return false; 410 411 const em::AutoUpdateSettingsProto& proto = 412 device_policy_.auto_update_settings(); 413 if (!proto.has_scatter_factor_in_seconds()) 414 return false; 415 416 *scatter_factor_in_seconds = proto.scatter_factor_in_seconds(); 417 return true; 418 } 419 420 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate( 421 std::set<std::string>* connection_types) const { 422 if (!device_policy_.has_auto_update_settings()) 423 return false; 424 425 const em::AutoUpdateSettingsProto& proto = 426 device_policy_.auto_update_settings(); 427 if (proto.allowed_connection_types_size() <= 0) 428 return false; 429 430 for (int i = 0; i < proto.allowed_connection_types_size(); i++) { 431 std::string type = DecodeConnectionType(proto.allowed_connection_types(i)); 432 if (!type.empty()) 433 connection_types->insert(type); 434 } 435 return true; 436 } 437 438 bool DevicePolicyImpl::GetOpenNetworkConfiguration( 439 std::string* open_network_configuration) const { 440 if (!device_policy_.has_open_network_configuration()) 441 return false; 442 443 const em::DeviceOpenNetworkConfigurationProto& proto = 444 device_policy_.open_network_configuration(); 445 if (!proto.has_open_network_configuration()) 446 return false; 447 448 *open_network_configuration = proto.open_network_configuration(); 449 return true; 450 } 451 452 bool DevicePolicyImpl::GetOwner(std::string* owner) const { 453 if (IsEnterpriseManaged()) { 454 *owner = ""; 455 return true; 456 } 457 458 if (!policy_data_.has_username()) 459 return false; 460 *owner = policy_data_.username(); 461 return true; 462 } 463 464 bool DevicePolicyImpl::GetHttpDownloadsEnabled( 465 bool* http_downloads_enabled) const { 466 if (!device_policy_.has_auto_update_settings()) 467 return false; 468 469 const em::AutoUpdateSettingsProto& proto = 470 device_policy_.auto_update_settings(); 471 472 if (!proto.has_http_downloads_enabled()) 473 return false; 474 475 *http_downloads_enabled = proto.http_downloads_enabled(); 476 return true; 477 } 478 479 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const { 480 if (!device_policy_.has_auto_update_settings()) 481 return false; 482 483 const em::AutoUpdateSettingsProto& proto = 484 device_policy_.auto_update_settings(); 485 486 if (!proto.has_p2p_enabled()) 487 return false; 488 489 *au_p2p_enabled = proto.p2p_enabled(); 490 return true; 491 } 492 493 bool DevicePolicyImpl::GetAllowKioskAppControlChromeVersion( 494 bool* allow_kiosk_app_control_chrome_version) const { 495 if (!device_policy_.has_allow_kiosk_app_control_chrome_version()) 496 return false; 497 498 const em::AllowKioskAppControlChromeVersionProto& proto = 499 device_policy_.allow_kiosk_app_control_chrome_version(); 500 501 if (!proto.has_allow_kiosk_app_control_chrome_version()) 502 return false; 503 504 *allow_kiosk_app_control_chrome_version = 505 proto.allow_kiosk_app_control_chrome_version(); 506 return true; 507 } 508 509 bool DevicePolicyImpl::GetUsbDetachableWhitelist( 510 std::vector<UsbDeviceId>* usb_whitelist) const { 511 if (!device_policy_.has_usb_detachable_whitelist()) 512 return false; 513 const em::UsbDetachableWhitelistProto& proto = 514 device_policy_.usb_detachable_whitelist(); 515 usb_whitelist->clear(); 516 for (int i = 0; i < proto.id_size(); i++) { 517 const em::UsbDeviceIdProto& id = proto.id(i); 518 UsbDeviceId dev_id; 519 dev_id.vendor_id = id.has_vendor_id() ? id.vendor_id() : 0; 520 dev_id.product_id = id.has_product_id() ? id.product_id() : 0; 521 usb_whitelist->push_back(dev_id); 522 } 523 return true; 524 } 525 526 bool DevicePolicyImpl::GetDeviceUpdateStagingSchedule( 527 std::vector<DayPercentagePair>* staging_schedule_out) const { 528 staging_schedule_out->clear(); 529 530 if (!device_policy_.has_auto_update_settings()) 531 return false; 532 533 const em::AutoUpdateSettingsProto &proto = 534 device_policy_.auto_update_settings(); 535 536 if (!proto.has_staging_schedule()) 537 return false; 538 539 std::unique_ptr<base::ListValue> list_val = 540 DecodeListValueFromJSON(proto.staging_schedule()); 541 if (!list_val) 542 return false; 543 544 for (base::Value* const& pair_value : *list_val) { 545 base::DictionaryValue* day_percentage_pair; 546 if (!pair_value->GetAsDictionary(&day_percentage_pair)) 547 return false; 548 int days, percentage; 549 if (!day_percentage_pair->GetInteger("days", &days) || 550 !day_percentage_pair->GetInteger("percentage", &percentage)) 551 return false; 552 // Limit the percentage to [0, 100] and days to [1, 28]; 553 staging_schedule_out->push_back({std::max(std::min(days, 28), 1), 554 std::max(std::min(percentage, 100), 0)}); 555 } 556 557 return true; 558 } 559 560 bool DevicePolicyImpl::GetAutoLaunchedKioskAppId( 561 std::string* app_id_out) const { 562 if (!device_policy_.has_device_local_accounts()) 563 return false; 564 565 const em::DeviceLocalAccountsProto& local_accounts = 566 device_policy_.device_local_accounts(); 567 568 // For auto-launched kiosk apps, the delay needs to be 0. 569 if (local_accounts.has_auto_login_delay() && 570 local_accounts.auto_login_delay() != 0) 571 return false; 572 573 for (const em::DeviceLocalAccountInfoProto& account : 574 local_accounts.account()) { 575 // If this isn't an auto-login account, move to the next one. 576 if (account.account_id() != local_accounts.auto_login_id()) 577 continue; 578 579 // If the auto-launched account is not a kiosk app, bail out, we aren't 580 // running in auto-launched kiosk mode. 581 if (account.type() != 582 em::DeviceLocalAccountInfoProto::ACCOUNT_TYPE_KIOSK_APP) { 583 return false; 584 } 585 586 *app_id_out = account.kiosk_app().app_id(); 587 return true; 588 } 589 590 // No auto-launched account found. 591 return false; 592 } 593 594 bool DevicePolicyImpl::IsEnterpriseManaged() const { 595 if (policy_data_.has_management_mode()) 596 return policy_data_.management_mode() == em::PolicyData::ENTERPRISE_MANAGED; 597 // Fall back to checking the request token, see management_mode documentation 598 // in device_management_backend.proto. 599 return policy_data_.has_request_token(); 600 } 601 602 bool DevicePolicyImpl::GetSecondFactorAuthenticationMode(int* mode_out) const { 603 if (!device_policy_.has_device_second_factor_authentication()) 604 return false; 605 606 const em::DeviceSecondFactorAuthenticationProto& proto = 607 device_policy_.device_second_factor_authentication(); 608 609 if (!proto.has_mode()) 610 return false; 611 612 *mode_out = proto.mode(); 613 return true; 614 } 615 616 bool DevicePolicyImpl::GetDisallowedTimeIntervals( 617 std::vector<WeeklyTimeInterval>* intervals_out) const { 618 intervals_out->clear(); 619 620 if (!device_policy_.has_auto_update_settings()) { 621 return false; 622 } 623 624 const em::AutoUpdateSettingsProto& proto = 625 device_policy_.auto_update_settings(); 626 627 if (!proto.has_disallowed_time_intervals()) { 628 return false; 629 } 630 631 std::unique_ptr<base::ListValue> list_val = 632 DecodeListValueFromJSON(proto.disallowed_time_intervals()); 633 if (!list_val) 634 return false; 635 636 for (base::Value* const& interval_value : *list_val) { 637 base::DictionaryValue* interval_dict; 638 if (!interval_value->GetAsDictionary(&interval_dict)) { 639 LOG(ERROR) << "Invalid JSON string given. Interval is not a dict."; 640 return false; 641 } 642 base::DictionaryValue* start; 643 base::DictionaryValue* end; 644 if (!interval_dict->GetDictionary("start", &start) || 645 !interval_dict->GetDictionary("end", &end)) { 646 LOG(ERROR) << "Interval is missing start/end."; 647 return false; 648 } 649 WeeklyTimeInterval weekly_interval; 650 if (!DecodeWeeklyTimeFromValue(*start, &weekly_interval.start_day_of_week, 651 &weekly_interval.start_time) || 652 !DecodeWeeklyTimeFromValue(*end, &weekly_interval.end_day_of_week, 653 &weekly_interval.end_time)) { 654 return false; 655 } 656 657 intervals_out->push_back(weekly_interval); 658 } 659 return true; 660 } 661 662 bool DevicePolicyImpl::VerifyPolicyFile(const base::FilePath& policy_path) { 663 if (!verify_root_ownership_) { 664 return true; 665 } 666 667 // Both the policy and its signature have to exist. 668 if (!base::PathExists(policy_path) || !base::PathExists(keyfile_path_)) { 669 return false; 670 } 671 672 // Check if the policy and signature file is owned by root. 673 struct stat file_stat; 674 stat(policy_path.value().c_str(), &file_stat); 675 if (file_stat.st_uid != 0) { 676 LOG(ERROR) << "Policy file is not owned by root!"; 677 return false; 678 } 679 stat(keyfile_path_.value().c_str(), &file_stat); 680 if (file_stat.st_uid != 0) { 681 LOG(ERROR) << "Policy signature file is not owned by root!"; 682 return false; 683 } 684 return true; 685 } 686 687 bool DevicePolicyImpl::VerifyPolicySignature() { 688 if (policy_.has_policy_data_signature()) { 689 std::string policy_data = policy_.policy_data(); 690 std::string policy_data_signature = policy_.policy_data_signature(); 691 std::string public_key; 692 if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) { 693 LOG(ERROR) << "Could not read owner key off disk"; 694 return false; 695 } 696 if (!VerifySignature(policy_data, policy_data_signature, public_key)) { 697 LOG(ERROR) << "Signature does not match the data or can not be verified!"; 698 return false; 699 } 700 return true; 701 } 702 LOG(ERROR) << "The policy blob is not signed!"; 703 return false; 704 } 705 706 bool DevicePolicyImpl::LoadPolicyFromFile(const base::FilePath& policy_path) { 707 std::string policy_data_str; 708 if (policy::LoadPolicyFromPath(policy_path, &policy_data_str, &policy_) != 709 LoadPolicyResult::kSuccess) { 710 return false; 711 } 712 if (!policy_.has_policy_data()) { 713 LOG(ERROR) << "Policy on disk could not be parsed!"; 714 return false; 715 } 716 if (!policy_data_.ParseFromString(policy_.policy_data()) || 717 !policy_data_.has_policy_value()) { 718 LOG(ERROR) << "Policy on disk could not be parsed!"; 719 return false; 720 } 721 722 bool verify_policy = verify_policy_; 723 if (!install_attributes_reader_) { 724 install_attributes_reader_ = std::make_unique<InstallAttributesReader>(); 725 } 726 const std::string& mode = install_attributes_reader_->GetAttribute( 727 InstallAttributesReader::kAttrMode); 728 if (mode == InstallAttributesReader::kDeviceModeEnterpriseAD) { 729 verify_policy = false; 730 } 731 if (verify_policy && !VerifyPolicyFile(policy_path)) { 732 return false; 733 } 734 735 // Make sure the signature is still valid. 736 if (verify_policy && !VerifyPolicySignature()) { 737 LOG(ERROR) << "Policy signature verification failed!"; 738 return false; 739 } 740 if (!device_policy_.ParseFromString(policy_data_.policy_value())) { 741 LOG(ERROR) << "Policy on disk could not be parsed!"; 742 return false; 743 } 744 745 return true; 746 } 747 748 } // namespace policy 749
